Alexei Czeskis

University of Washington, Seattle

"Practical, Usable, and Secure Authentication and Authorization on the Web"

User authentication is a critical part of many systems. As strong cryptography has become widespread and vulnerabilities in systems become harder to find and exploit, attackers are turning toward user authentication as a potential avenue for compromising users. Unfortunately, user authentication on the web has remained virtually unchanged since the invention of the Internet. I will present three systems that attempt to strengthen user authentication, and its close cousin authorization, on the web while being practical for developers, usable for users, and secure against attackers. First, I will discuss Origin Bound Certificates -- a mechanism for tweaking Transport Layer Security (TLS) that can then be used to substantially strengthen the authentication of HTTP requests by binding cookies (or other tokens) to a client certificate. This renders stolen cookies unusable by attackers. Second, I will present PhoneAuth, a system for protecting password-based login by opportunistically providing cryptographic identity assertions from a user's mobile phone while maintaining a simple and usable authentication experience. Third, I will describe ongoing research into how a class of web vulnerabilities called Cross-Site Request Forgeries (CSRFs) can be fundamentally prevented using Allowed Referrer Lists. I'll discuss the next big challenges in user authentication and conclude with several examples of where authentication matters beyond the web.
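One way to realize the cookie-to-certificate binding described above, as an added example that is not the talk's or the Origin Bound Certificates implementation's own code: the server MACs the session id together with a fingerprint of the client certificate presented on the TLS connection, so a cookie copied to a client with a different (or no) certificate fails verification. The fingerprint format, the server key and the sample certificate bytes are assumptions constructed for the example.

```python
# Added example (not from the talk): server-side sketch of a channel-bound cookie.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # per-server MAC secret (constructed for the example)


def cert_fingerprint(cert_der: bytes) -> str:
    """Identify the client's origin-bound certificate by a hash of its DER bytes (assumed format)."""
    return hashlib.sha256(cert_der).hexdigest()


def _tag(session_id: str, fp: str, key: bytes) -> str:
    return hmac.new(key, f"{session_id}|{fp}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_cert_der: bytes, key: bytes = SERVER_KEY) -> str:
    """Mint a cookie whose MAC covers both the session id and the presenting certificate."""
    return f"{session_id}.{_tag(session_id, cert_fingerprint(client_cert_der), key)}"


def verify_cookie(cookie: str, presenting_cert_der: Optional[bytes], key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the cookie is valid for the certificate on THIS connection, else None.
    A stolen cookie replayed over a connection with another certificate, or none, recomputes to a
    different MAC and is rejected, which is the property the abstract attributes to OBC."""
    if presenting_cert_der is None:
        return None  # no origin-bound certificate on this connection: nothing to bind against
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    expected = _tag(session_id, cert_fingerprint(presenting_cert_der), key)
    return session_id if hmac.compare_digest(tag, expected) else None


# Constructed stand-ins for two browsers' origin-bound certificates.
VICTIM_CERT = b"constructed-der-bytes-for-victim-origin-cert"
OTHER_CERT = b"constructed-der-bytes-for-some-other-client"


def demo() -> Tuple[bool, bool, bool]:
    """(accepted on the original channel, rejected with another cert, rejected with no cert)."""
    cookie = issue_cookie("sess-42", VICTIM_CERT)
    legit = verify_cookie(cookie, VICTIM_CERT) == "sess-42"
    replayed = verify_cookie(cookie, OTHER_CERT) is None
    no_cert = verify_cookie(cookie, None) is None
    return legit, replayed, no_cert


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```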

Bio: Alexei Czeskis is a fifth-year PhD student at the Security and Privacy Research Lab at the University of Washington Department of Computer Science and Engineering. His primary research is focused on authentication, one of the most important, yet challenging aspects of computer security. Alexei is interested in user authentication in highly adversarial settings (e.g., on the web), in feature-constrained environments (e.g., on a mobile phone), and in a variety of other situations such as under duress. He also explores authentication in a range of devices, from powerful desktop computers and mobile phones to resource-constrained embedded devices (e.g., RFIDs or automotive systems). Besides the technical nature of the systems, he is also interested in how the systems interact with users, where they work well together and where they break down, and how the security and privacy of these user-facing systems can be improved.

Time: Thursday, 07.03.2013, 10:30
Location: MPI-SWS building Kaiserslautern, Room 206
Note: The talk will be streamed live to the MPI-SWS building in Saarbrücken, Room 029.